With this preview, GitHub Enterprise Cloud accounts with Enterprise Managed Users (EMU) can decide to allow EMU enterprise traffic to github.com only via their existing corporate proxies. Unapproved traffic would be blocked.
With enterprise access restrictions via corporate proxies, you can now configure your network proxy or firewall to inject a header into your users’ web and API requests to github.com. This signal tells GitHub to block the request if it is from a user outside of your EMU enterprise – helping ensure that only the accounts you control are used on your corporate network. This enables highly regulated EMU customers to define a secure network strategy in order to reduce the risk of intentional or accidental data leaks by allowing access only to a strictly governed EMU enterprise.
This new network restriction covers API and UI access to github.com and will work in tandem with access rules that enable Copilot traffic to flow properly for enterprise managed users. Copilot access is managed using a different network policy that helps control which version of Copilot (Enterprise, Business, or Individual) is allowed on your network. See Configuring your proxy server or firewall for Copilot for detailed guidance on that GA feature.
This feature is currently available by request to EMU enterprises with licensed users. To request access, contact your account manager in GitHub’s Sales team or sign up here.
If you’re currently trialing EMU or are early in adopting an existing EMU environment, we recommend exploring GitHub Enterprise Cloud with data residency which offers a unique subdomain of GHE.com, so the proxy header is not required to differentiate traffic to your enterprise’s resources. This is the optimal solution for customers who have data residency needs in addition to applying network controls on public github.com access.
Learn more about restricting access to GitHub.com using a corporate proxy.